Three Questions Every CISO Should Be Able to Answer

Working with technical officers and cyber security specialists around the world, our conversations often center around a few key themes – the risk posed by IoT, the difficulty of detecting potentially malicious data transfers, and the overall lack of visibility into user and device activity.

These concerns are largely the result of today’s complex and sprawling network infrastructures, which complicate the task of monitoring subtle, threatening shifts in user and device behavior. Networks today stretch into the cloud, may connect to industrial control systems, house a multitude of equipment, and often span the globe. Advanced cyber-attacks and insider threats are bound to get lost in the noise.

Add IoT devices, virtual machines, and smart cities into the mix, and it becomes nearly impossible to stay ahead of the evolving threat landscape. As a result, CISOs and their security teams face a fundamental problem. They have too many blind spots and cannot reliably distinguish what is a threat from what is legitimate activity.

To understand the scale of the challenge, three questions in particular should be asked of your security team.

1. Can you account for every device on the network?

In my experience, even the most veteran security teams consistently underestimate the number of devices on their network, sometimes by up to 30 percent. And many companies lack the ability to detect anomalous activity on IoT devices and other non-conventional IT.

This fact is not lost on cyber-attackers. By targeting vulnerable IoT devices, they can surreptitiously gain entry to networks that would otherwise appear to be locked down. For instance, one of the more troubling threats I’ve seen involved an architectural firm that began using smart drawing pads to quickly share schematics.

Unbeknown to their security team, the devices were connected to the office Wi-Fi without having changed the default login credentials. An external attacker found the vulnerable smart pads and co-opted them into a large-scale DDoS attack.

IoT vulnerabilities are beginning to be documented, but the solution is far from simple. Most security tools can only monitor certain devices and specific types of threat. As a result, IoT devices often go under the radar and are used as stepping stones into the network or vehicles to siphon data.

2. Do you know where data is traveling, both internally and externally?

In the hack of the Democratic National Committee in 2016, the culprits allegedly exfiltrated 80GB of data – roughly 500MB a day. And yet, even large, anomalous data transfers like these are liable to get lost in the noise of a busy network. More sophisticated attackers may steal or alter much smaller amounts of data at a time, slowly embedding themselves within networks, disguised as normal traffic.

Understanding which movements of data are legitimate, and which are not, is complicated and requires context. You do want to know when a criminal is stealing your customer database, but you don’t want to see alerts every time your graphic designer uploads a video file. You do want to understand if an employee is accidentally sending product design files to a contractor, but you don’t want to impede the interconnectivity that your supply chain relies on.

This brings us to the fundamental problem of a rules-based approach. Every rule has an exception, and the accumulation of exceptions can break the system. Security teams also need to avoid false positives and investigate only genuinely suspicious activity. A deep understanding of normal network data flows, both inside and outside the organization, is needed.
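The contrast drawn above, between a single rule with its exceptions and a per-device understanding of normal data flows, can be shown on a small set of constructed flow records. This is an added illustration, not code from the article or from Darktrace: the host names, daily byte counts and thresholds are all made up, and the baseline is a simple mean-plus-standard-deviation model chosen for clarity rather than any particular product's method.

```python
"""Static egress rule vs. per-device baseline on constructed daily flow totals."""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# Constructed history: (host, bytes sent to external addresses in one day).
# 'design-ws' is a graphic designer's workstation that uploads large video
# files every day; 'hr-laptop' normally sends very little.
BASELINE_DAYS = [
    ("design-ws", 2_100 * MB), ("design-ws", 1_800 * MB), ("design-ws", 2_400 * MB),
    ("design-ws", 1_950 * MB), ("design-ws", 2_200 * MB),
    ("hr-laptop", 12 * MB), ("hr-laptop", 9 * MB), ("hr-laptop", 15 * MB),
    ("hr-laptop", 11 * MB), ("hr-laptop", 13 * MB),
]

# Constructed "today": the designer behaves as usual, while the HR laptop
# starts sending roughly 500 MB a day, the daily volume cited for the DNC case.
TODAY = {"design-ws": 2_300 * MB, "hr-laptop": 500 * MB}


def static_rule(today, threshold_bytes):
    """The rules-based approach: one egress threshold applied to every host."""
    return sorted(host for host, sent in today.items() if sent > threshold_bytes)


def build_baseline(history):
    """Per-host mean and population standard deviation of daily egress."""
    per_host = defaultdict(list)
    for host, sent in history:
        per_host[host].append(sent)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def baseline_alerts(today, baseline, z=3.0, min_delta=50 * MB):
    """Flag hosts whose egress exceeds their own normal by more than z sigma.

    min_delta guards against a near-zero sigma turning a few extra
    kilobytes into an alert.
    """
    alerts = []
    for host, sent in today.items():
        mu, sigma = baseline[host]
        if sent - mu > max(z * sigma, min_delta):
            alerts.append(host)
    return sorted(alerts)


if __name__ == "__main__":
    # A 1 GB/day rule alerts on the designer and misses the leak;
    # a 100 MB/day rule catches the leak but alerts on the designer every day.
    print("rule 1 GB :", static_rule(TODAY, 1_000 * MB))
    print("rule 100MB:", static_rule(TODAY, 100 * MB))
    print("baseline  :", baseline_alerts(TODAY, build_baseline(BASELINE_DAYS)))
```

Whatever threshold the static rule is given, it either fires on the legitimate video uploads or misses the 500 MB leak; the per-host baseline fires only on the laptop whose behaviour changed, because "large" is measured relative to that device's own history rather than to the whole network.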

3. Do you have meaningful oversight of how your users behave?

External threats tend to get the most attention, but insider threats represent an equally serious security risk. Especially when it comes from trusted employees, unusual and threatening behavior is notoriously difficult to spot. After all, these threat actors have badges into the building and passwords for the network.

An employee logging in at an unusual time, groups of files being aggregated, an abnormal volume of downloads – on their own, these actions might seem insignificant, and mostly they are. However, together they can be correlated and act as weak indicators that form a compelling picture of an emerging threat.
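The three weak indicators named above (an off-hours login, files being aggregated, an unusual download volume) can be correlated per user within a time window, so that no single one raises an alert but the combination does. The following is an added example, not code from the article or from Darktrace; the users, timestamps, indicator thresholds and the two-hour window are constructed for illustration.

```python
"""Correlating weak per-user indicators inside a time window (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, user, event type, details).
EVENTS = [
    ("2024-03-04 02:13", "alice", "login", {}),
    ("2024-03-04 02:20", "alice", "file_access", {"files": 180}),
    ("2024-03-04 02:45", "alice", "download", {"bytes": 3_200_000_000}),
    ("2024-03-04 23:05", "bob", "login", {}),                            # on-call login, nothing else
    ("2024-03-04 10:30", "carol", "download", {"bytes": 4_000_000_000}),  # big download in office hours
    ("2024-03-04 11:00", "carol", "file_access", {"files": 20}),
]

# Each indicator on its own is weak: it fires often for innocent reasons.
WEAK_INDICATORS = {
    "login": lambda ts, d: ts.hour < 6 or ts.hour >= 22,          # outside 06:00-22:00
    "file_access": lambda ts, d: d.get("files", 0) >= 100,        # many files touched at once
    "download": lambda ts, d: d.get("bytes", 0) >= 1_000_000_000,  # >= 1 GB pulled down
}


def indicator_hits(events):
    """Return, per user, the sorted (timestamp, indicator) pairs that fired."""
    hits = defaultdict(list)
    for ts_text, user, kind, details in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M")
        check = WEAK_INDICATORS.get(kind)
        if check and check(ts, details):
            hits[user].append((ts, kind))
    for user in hits:
        hits[user].sort()
    return hits


def correlate(events, window=timedelta(hours=2)):
    """Per user, the largest number of distinct indicators firing within one window."""
    scores = {}
    for user, fired in indicator_hits(events).items():
        best = 0
        for start, _ in fired:
            kinds = {kind for ts, kind in fired if start <= ts <= start + window}
            best = max(best, len(kinds))
        scores[user] = best
    return scores


def alerts(events, threshold=3, window=timedelta(hours=2)):
    """Users whose correlated score reaches the threshold."""
    return sorted(u for u, s in correlate(events, window).items() if s >= threshold)


if __name__ == "__main__":
    print(correlate(EVENTS))  # alice scores 3, bob and carol score 1
    print(alerts(EVENTS))     # only alice
```

The design point is that the threshold applies to the number of distinct indicators seen together, not to any one of them: bob's late login and carol's large download are exactly the insignificant single events the text describes, while the same three events clustered within half an hour under one account form the compelling picture.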

Insider threat is not all malicious in intent either. Accidental data leaks and small breaches of company policies can expose companies to massive vulnerabilities. For example, a local US government recently detected an employee who visited a legitimate website, clicked on an advertisement, and inadvertently downloaded a highly aggressive banking Trojan. The malware was specifically designed to avoid the corporate firewall and automatically steal online banking credentials. The changes in device behavior were extremely slight, but were indicative of a much larger threat.

Today’s threat landscape is getting more and more sophisticated, and the onset of machine-based attacks threatens to take that sophistication and speed to another level still. There is no such thing as a secure network today, and no security team can answer these three questions with 100 percent confidence. And yet, these are the starting points to initiate a new conversation about cyber security. Facing up to the blind spots of our networks will help us direct our strategies toward the automation and visibility that we desperately need to anticipate attackers before they strike.

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. With over 10 years of experience in cyber defense, Fier has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Fier is a highly skilled technical officer, and a specialist in cyber operations across both offensive and defensive arenas.